Following "Detected Suspicious Activity," Spotify Resets the Passwords of an "Unspecified" Number of Accounts

Spotify has sent out a new e-mail to users.

An “unspecified” number users have received notifications the music streaming giant had reset their passwords.

The e-mail told users the company made this change “due to detected suspicious activity.”

Confirming the reports, Peter Collins, a Spotify spokesperson, issued the following statement.

As part our ongoing maintenance efforts to combat fraudulent activity on our service, we recently shared a communication with select users to reset their passwords as a precaution.

“As a best practice, we strongly recommend users not to use the same credentials across different services to protect themselves.

According to TechCrunch, the e-mails follow a “credential stuffing attack” on the service.  This occurs when hackers find usernames and passwords from other sites (including popular dumping site, Pastebin) and “brute-force” their way into the accounts.

Multiple users admitted to using the same password across different websites.  Others, however, used passwords unique to Spotify.

Speaking about experiencing the same problem two years ago, one user wrote on HackerNews,

I had a similar issue not long ago.  I went in and really changed it into a massive 50 character pw.

“My Spotify account was hijacked in 2017 and managed to get it back – someone from Tunisia – he had the audacity to start creating playlists full autotune rappers.  I wouldn’t mind sharing, but man, his taste in music was awful.

Stating the service denied any database breaches, another user explained,

Same thing happened to me, right around the same time.  Also, my hijacker shared a similar taste in music to yours!  Spotify denied that they had any database breaches, but I only use that password for Spotify, so I find that highly unlikely.

The forced resets come months after major companies reported similar breaches.

Denying the company was hacked last month, Chipotle spokesperson Laurie Schalow said,

We’re] monitoring any possible account security issues which we’re made aware and continue to have no indication a breach private data our customers.”

Following a similar hack late last year, a DoorDash spokesperson denied a data breach had occurred.  Instead, a spokesperson blamed credential stuffing attacks.

We don’t have any information to suggest that DoorDash has suffered a data breach.  To the contrary, based on the information available to us, including internal investigations, we have determined that the fraudulent activity reported by consumers resulted from credential stuffing.